CBA ABA OIG Letter Complaint Privacy 6-4-15

Associate Inspector General Melissa Heist

Office of Inspector General,Audits and Evaluations Division Board of Governors of the Federal Reserve System

Bureau of Consumer Financial Protection 20th Street and Constitution Avenue NW Mail Stop K-300

Washington,DC 20551


Dear Associate Inspector General Heist:


We would like to thank you and members of your staff for meeting with us on May 7,2015. As we indicated during our discussion,the Consumer Bankers Association1and the American Bankers Association2 support your efforts to oversee the programs and operations of the

Bureau of Consumer Financial Protection Bureau (Bureau), especially during these early years of the agency's existence.


We understand that your mission is "to provide independent oversight by conducting audits, investigations,and other reviews of the programs and operations of the Board and the improve economy, efficiency, and effectiveness, and [to] prevent and detect fraud, waste,and abuse."3 We agree that your decision to initiate the following audits is consistent with that mission -


  • Security Control Review of the CFPB's DT Complaint Database to "evaluate the adequacy of certain control techniques designed to protect data in the system from unauthorized, access, modification,destruction,or disclosure;" and


  • Audit of the CFPB's Public Consumer Complaint Database to "assess the effectiveness of the CFPB's controls over the accuracy and completeness of the public complaint database."4



1Founded in 1919, the Consumer Bankers Association (CBA) is the trade association for today'sleadersin retail banking·banking services geared toward consumers and small businesses.The nation's largest financial

institutions, as well as many regional banks, are CBA corporate members, collectively holdingwell over half of the

industry's total assets.CBA's mission is to preserve and promote the retailbanking industry as it strives to fulfillthe financial needs of the American consumer and small business.

2 The American Bankers Association (ABA) is the voice of the nation's $15 trillion bankingindustry, which is

composed of small,regional and large banks that together employ more than 2 million people, safeguard $11 trillion ln deposits and extend more than $8 trillion inloans.

3 See

4 Office of Inspector General,Full Work Plan "CFPB Ongoing Projects," available at

http: lj oig. fed eraI reserve. gov/reports/work -pla n-full . htm#C FPBOngoing.



As we discussed during the meeting,we respectfully ask your office to examine the controls adopted by the Bureau to protect consumers' personally identifiable information (Pll) and the measures employed to ensure the accuracy and integrity of the data and consumer complaint narratives published on the Consumer Complaint Database (Database). In particular,we urge you to investigate whether the Bureau has followed through on commitments made to conduct studies and to adopt controls that will promote the privacy of consumers' personal financial information and the security, accuracy, and integrity of consumers' complaint data and narratives to be posted on the public Database.


The Security Control Review of the Bureau's OT Complaint Database shouldinvestigate whether the Bureau tested the scrubbing standard or the opt-in disclosure.


In its Proposed Policy Statement and Request for Comment on the Disclosure of Consumer Complaint Narrative Data (Narrative Proposal),5 the Bureau stated it was "currently conducting  a study to further verify that the proposed scrubbing standard and methodology will sufficiently address concerns related to FOIA, the Privacy Act, the Dodd-Frank Act and the Bureau's confidentiality regulation."6 Further,the Bureau reported it was "currently conducting research and user testing to inform design decisions regarding the need for any additional information to help inform consumer consent."7


We believe the results of each of these studies are critical to the adequacy of the information security controls designed to protect the privacy of personal financial information that may be revealed by the publication of complaint narratives.However, neither of these studies {nor their conclusions) has been released to the public.Indeed, there is no public evidence that the Bureau has even conducted this research.


1.      The Final Policy Statement's discussion of the scrubbing standard


The Bureau's annpuncement of its decision to proceed with the publication of complaint narratives makes no reference to its previous promise to test the scrubbing standard. Instead, the Bureau describes the standard very generally, stating only -


The Bureau's Database scrubbing standard is modeled after the HIPPA Safe Harbor Method,which is generally considered to represent a best practice for de-identifying data. In addition to adopting most of the specific HIPPA

identifiers,the Bureau also plans to remove: (1) Demographic information such as gender, age, race and ethnicity; (2) appropriate analogues to HIPPA

identifiers in the consumer financial domain, e.g., credit card numbers; and



5 Disclosure of Consumer Complaint Narrative Data,Notice of Proposed Policy Statement, Federal Register Vol. 79, No.141, Pg.42767 (July 23, 2014).

6 Id.

7 Id. at 42769.


(3) identifiers which the Bureau knows appear in complaints and could reasonably be used to identify individuals, e.g., references to third parties other than the company that is the subject of the complaint. The scrubbing methodology contemplates a computer-based automated step and a quality assurance step or steps performed by human reviewers.8


The statement, "[t]he scrubbing methodology contemplates a computer-based automated step and a quality assurance step or steps performed by human reviewers" is silent on many issues that are crucial for gauging the effectiveness of the process, including, but not limited to the quality control protocols to be used,the number of reviewers,and the sufficiency of their training. As noted in ABA's letter dated January 12,2015, it is unclear whether the Bureau

intends to conduct the redaction process with agency staff or to contract out the redaction process. However,should the Bureau consider contracting out the redaction process, we would urge the OIG to audit the Bureau's third-party risk management controls and capabilities, as well as any independent contractor's procedures and controls, to guarantee that the handling of the considerable volume of personally sensitive financial information by a third-party will meet data quality and security standards.


Moreover,although the HIPAA Safe Harbor Method may be "generally considered to represent a best practice for de-identifying data," the HIPAA standard relates to medical information, which is not comparable to financial information. In addition, there are no publicly available medical records, while personal financial information is readily available in land records, bankruptcy records, and other judicial records such as family court records.This critical contrast

makes it easy for bad actors to match public financial information with the Bureau's public database to identify individual consumers who have filed complaints.9 These facts underscore the importance of the Bureau testingthe scrubbing standard and confirming its efficacy-not simply relying on the declaration that the HIPAA Safe Harbor Method is considered to represent a "best practice" for de-identifying data. Thus, we urge you to investigate whether the Bureau tested the scrubbing standard as promised and, if so, based upon your review of the test  results, t9 assess the adequacy of the information security standards and controls adopted by the Bureau.


2.  The Final Policy Statement's discussion of Consumer Consent


The risk of re-identification underscores the importance of adequate, effective disclosure. For this reason,we respectfully ask your office to investigate whether the Bureau has tested the


1Final Policy Statement, Federal Register Vol. 80, No. 56,Pg.15560 (March 24,2015).

  1. The re-identification threat has been recognized by a variety of sources, including the White House. A May 2014 White House report, Big Dato: Seizing Opportunities, Preserving Values, addressed the implications of re­ identification,which it defined as the process where previously de-identified information is re-connected to reveal the identity of the person.It noted a "mosaic effect" is used to infer a person's identity from datasets that do not

include personal identifiers.The Report cautions that, even if information does not include personal identifiers, "it is difficult to predict how technologies to re-identify seemingly anonymized data may evolve." See

http:U www. whitehouse . gov/sites/defaul t/files/docs/big data privacy report may 1 201 4.pdf.


opt-in disclosure as promised and,if so, whether the proposed disclosure adequately informs consumers of the risk of re-identification.


As noted above, in the Narrative Proposal,the Bureau stated,


The Bureau is currently conducting research and user testing to inform design decisions regarding the need for any additional information to help inform consumer consent, the precise language to most effectively communicate with the consumer, and at what point in the complaint process (at complaint submission or later in the complaint handling process) and where on the Bureau Web site the information in support of the opt-in consent should be displayed.10


Despite this clear statement, the Final Policy Statement also fails to mention whether any testing occurred and,if so,the impact on the Bureau's final disclosure statement.Indeed,the Final Policy Statement generally describes the consent process,but does not provide the public with the opt-in disclosure language. The Final Policy Statement merely states:


To obtain informed consumer consent, the Bureau plans to give consumers who submit a complaint the opportunity to check a consent box, with accompanying language that will state, among other things, and in plain language, that: (1) Whether or not consent is given will not otherwise impact how the Bureau handles the complaint; (2) if given, the consumer may thereafter inform the Bureau that the consumer withdraws consent at any time and the narrative will be removed from the Consumer Complaint Database; and (3) the Bureau will take reasonable steps to remove personal information from the complaint to address risk of re-identification.11


The Privacy Act protects information about individuals maintained by an agency, including,but not limited to, information regarding "financial transac ions...that contain his name, or the

identifying number, symbol,or other identifying particular assigned to the individual..." 12 This definition would include consumer complaint data and narratives published on the Database, thus creating an affirmative duty for the Bureau to keep the information confidential under Dodd-Frank Act § 1022(c)(8). The Privacy Act further states, "[n]o agency shall disclose any record which is contained in a system of records by any means of communication to any person...except pursuant to a written request by, or with the prior written consent of, the

individual to whom the record pertains."13





  1. Narrative Proposal,supra at 42769.
  2. Final Policy Statement, supra at 15583 (emphasis added).

12 s u.s.c.§ 552a(a)(4) .

13 5 U.S.C. § 552a(b) (emphasis added).


In the Final Policy Statement, the Bureau relies on consumer consent to overcome statutory and regulatory privacy requirements. However, consent is invalid absent adequate disclosure, and the effectiveness of the disclosure soliciting this consent is unknown. Further, third parties mentioned in the complaint do not have an opportunity to consent. In the context of your

audit, we respectfully ask you to investigate whether the Bureau tested the effectiveness of the opt-in disclosure and adopted adequate controls based on that testing.




We also support the OIG's audit of the "effectiveness of the [Bureau's] controls over the accuracy and completeness of the public complaint database." As discussed in our meeting,if the Bureau lacks controls over the adequate accuracy, integrity,and objectivity of complaint data (and narratives) the Database will fail to fulfill its purpose of fostering informed consumer choice. By publishing unverified complaints, taxpayer dollars spent creating and maintaining the Database are injeopardy of beingwasted.


Again,we appreciated the opportunity to meet with you and welcome future discussions to address these important consumer protection issues.



Steven I.Zeisel

Executive Vice President and General Counsel Consumer Bankers Association



Virginia O'Neill Senior Vice-President

American Bankers Association


Kate Larson

Regulatory Counsel

Consumer Bankers Association